I am trying to disable SSLv2 completely within WebLogic and am using the information contained here (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html#wp1194346) and have specifically made sure I'm using jsafeFIPS.jar and the "-Dweblogic.security.SSL.nojce=true" argument. I want to allow ONLY TLS and SSLv3 communication. Unfortunately, when I attempt to test this setup by forcing my browser to attempt a connection over SSL2 (and any available cipher), WebLogic will still allow me to initiate a connection and exchange certificates. To be clear, that means the packet flow looks like this when I try https://server/:

(the stuff below is the tear down of the TCP stream)
SERVER-ME: FIN,ACK
ME-SERVER: ACK
ME-SERVER: FIN,ACK

The problem here is that I don't want WebLogic to walk down the path of offering ciphers it knows it will immediately reject. And I'd prefer it not even respond when SSLv2 hellos are offered. I'm lost at this point -- is this something WebLogic can do?

I just wanted to add one more thing here: the functionality on the SSL-based node manager is even worse. Here's how that packet flow appears. The thing to focus on here is that the tear down of the TCP stream is actually initiated by me and not by the server. I'm using a browser to test this, so it looks like the browser is trying to make something happen and then timing out. To be clear, it takes me almost exactly 30 seconds before I tear down my side of this TCP session (probably a timeout).

Specifying the Version of the SSL Protocol
WebLogic Server supports both the SSL V3.0 and TLS V1.0 protocols. When WebLogic Server is acting as an SSL server, the protocol that the client specifies as preferred in its client hello message is used. Note that WebLogic Server does not support SSL V2.0. When WebLogic Server is acting as an SSL client, it specifies TLS1.0 as the preferred protocol in its SSL V2.0 client hello message, but can use SSL V3.0 as well, if that is the highest version that the SSL server on the other end supports. The peer must respond with an SSL V3.0 or TLS V1.0 message or the SSL connection is dropped.
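
The documentation excerpt above describes an SSL V2.0-format client hello that asks for TLS 1.0, which is not the same thing as a client that can only speak SSLv2. As an added example (not part of the original thread or of Oracle's documentation), this Python parser tells the two apart from the first bytes a client sends, for use on a packet capture; the function names and the sample hellos are constructed for illustration.

```python
import struct

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}

def classify_client_hello(data: bytes) -> dict:
    """Report the framing and the protocol version offered in a client's first bytes."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the hello")
    # SSLv2 framing: 2-byte length header with the high bit set, then type 1 (CLIENT-HELLO).
    if data[0] & 0x80 and data[2] == 0x01:
        version, spec_len = struct.unpack(">HH", data[3:7])
        specs = data[11:11 + spec_len]
        # Cipher specs are 3 bytes each; a leading 0x00 marks an SSLv3/TLS suite.
        lead = [specs[i] for i in range(0, len(specs) - 2, 3)]
        return {
            "framing": "SSLv2",
            "offered": VERSIONS.get(version, hex(version)),
            "v2_specs": sum(1 for b in lead if b != 0),
            "v3_specs": sum(1 for b in lead if b == 0),
            "ssl2_only": version == 0x0002,
        }
    # SSLv3/TLS framing: record type 0x16 (handshake), handshake type 1 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        (version,) = struct.unpack(">H", data[9:11])
        return {"framing": "SSLv3/TLS", "offered": VERSIONS.get(version, hex(version)),
                "v2_specs": 0, "v3_specs": None, "ssl2_only": False}
    return {"framing": "unknown", "offered": None,
            "v2_specs": 0, "v3_specs": None, "ssl2_only": False}

def build_v2_hello(version: int, specs: bytes) -> bytes:
    """Construct a sample SSLv2-framed CLIENT-HELLO (test data, 16-byte zero challenge)."""
    body = struct.pack(">BHHHH", 1, version, len(specs), 0, 16) + specs + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed samples, not captured traffic.
COMPAT_HELLO = build_v2_hello(0x0301, bytes.fromhex("00002f" "00000a" "010080"))
PURE_V2_HELLO = build_v2_hello(0x0002, bytes.fromhex("010080" "0700c0"))

if __name__ == "__main__":
    for name, pkt in (("v2-compatible", COMPAT_HELLO), ("pure SSLv2", PURE_V2_HELLO)):
        print(name, classify_client_hello(pkt))
```

A hello with `framing` of `SSLv2` but `offered` of `TLSv1.0` is the compatibility format the documentation describes; only `ssl2_only: True` indicates a client that is actually requesting SSL 2.0.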